Protecting your customers may lead to big penalties in today's police state

Ladar Levison had a thriving business. His encrypted email service was heavily used by corporate users that valued protecting their trade secrets. The Obama administration, however, stepped in and crushed this American success story.

I. Feds Demand Lavabit Hand Over Keys to All its Corporate Customers' Communications, Opening the Door for Corporate Espionage

Ladar Levison was forced to abandon his thriving email business to protect his users from spying by the Obama administration. [Image Source: D Magazine]

In the aftermath, one of the Snowden reports carelessly showed Mr. Snowden's email address -- revealing he had a Lavabit address. Now President Obama and his bipartisan backers had a new victim to sink the teeth of the judicial system into.

Mr. Levison was ordered not just to hand over Mr. Snowden's encryption keys, but the keys of all of his users -- every single one.

Mr. Levison was faced with a tough choice. He could give the government the keys, which federal officials could potentially use to conduct corporate espionage on behalf of their campaign donors without the victims or public ever knowing. That was choice A. Or he could defy the order and face imprisonment under the provisions of 50 USC § 1861/18 USC § 2703 (which define the federal government's rights to unconstitutional seizures) and 50 USC § 1881a (which defines the punishment for exercising one's Constitutional rights and refusing to comply with said seizures). That was choice B.

Instead he opted for choice C -- to act in civil disobedience while being careful not to directly defy the legal statutes of the USA PATRIOT Act. He allegedly ducked out his back door when he first saw federal agents coming to his home, denying them a chance to deliver a subpoena.

The Obama administration's FISA court was not happy with this action.

It held Mr. Levison in contempt of court and authorized the U.S. Federal Bureau of Investigation (FBI) to install malware on Mr. Levison's servers and fine him $5,000 for every day he did not turn over his customers' encryption keys.

Mr. Levison exercised his Constitutional rights and waited two days, before defiantly delivering a printout of the keys printed in size 4 font. But by then he'd already shut down his business and purged his servers, leaving nothing for the feds to collect.

Mr. Levison stated in a brief release, "[I refuse] to become complicit in crimes against the American people."

The Obama administration was outraged at that refusal. The U.S. Department of Justice (DOJ) briefly considered seeking his imprisonment, according to sources. But after Mr. Levison collected $100,000 USD in donations to support a legal defense, the DOJ declined to seek prison time for Mr. Levison's acts of civil disobedience. Instead it opted to just punish Mr. Levison with the financial penalty stated in the original contempt order -- a fine of $10,000 USD.

Mr. Levison refused to accept even that punishment. He has appealed the fine to the U.S. 4th Circuit Court of Appeals in Richmond, Virginia, arguing his Fourth Amendment protections against search and seizure were violated. He asserts that his business was founded on U.S. privacy and that the government was behaving illegally when it ordered him to violate all of his users' privacy by handing over everyone's encryption keys, in order to allegedly target just one user.

The DOJ is fighting back, looking to nail Mr. Levison with the $10,000 fine. In a just-filed appellate brief it writes:

Mr. Levison [illegally] alerted all of Lavabit’s users, including the target of the investigation, that Lavabit was engaged in litigation with the government and that, rather than comply with the court’s orders, he decided to shut down his business.

The pen/trap order and the search warrant issued by the district court were plainly lawful. The information used by Lavabit to encrypt communications on its systems, what has been referred to as SSL or encryption keys, was both necessary to the installation and operation of a lawfully ordered pen register/trap and trace device as well as subject to disclosure pursuant to 18 U.S.C. § 2703. As such, it was within the district court's power to compel the production of those keys.

It remains to be seen whether the appellate judges will uphold the $10,000 fine. But for now the worst is presumably over and Mr. Levison can celebrate victory to an extent. He won. His clients' data is safe from the Obama administration's PATRIOT Act seizure attempt. And despite that he's a free man.

Obviously, after this fiasco, if he were to start up another company with a similar purpose, I'm sure he would do very well as people will remember the lengths he went through to stop the government.

Additionally, if he were to start up again, the government would be hesitant to double up on him as this is fairly embarrassing for the administration. Also, I'm sure he would start adding a remote wipe script to all of his servers.

quote: Obviously, after this fiasco, if he were to start up another company with a similar purpose, I'm sure he would do very well as people will remember the lengths he went through to stop the government.

Additionally, if he were to start up again, the government would be hesitant to double up on him as this is fairly embarrassing for the administration. Also, I'm sure he would start adding a remote wipe script to all of his servers.

I wouldn't be so sure. Silent Circle (one of the largest remaining email services) also has proactively shut down after seeing what happened to Lavabit.

... the sad reality is that in today's America you may have to leave the country in order to create a service that's safe from PATRIOT Act demands. In the U.S. the Lavabit incident shows that such services are simply impossible to maintain as the government can storm in and ask for everyone's records, using one user's wrong-doing as a justification.

The crimes of the one are used to justify the spying on the many.

While Lavabit and Silent Circle did the best thing -- shutting down to prevent this seizure of private records of law-abiding users -- this obviously is an untenable business model as at any time your customers could lose all access and all their data.

Overseas, though, the reach of the U.S. police state is limited. U.S. authorities have been shown to be trying to break encryption on such services, but if carefully implemented, they should be safe from the cybercriminal methodology our government is increasingly embracing.

That's what I meant, as typically seizures are conducted before the user is found guilty in the court of law -- and in Mr. Snowden's case the question is whether he was protected by federal whistleblower laws, given the contradictory and arbitrary nature of the hulking and disorganized U.S. Code (of Law).

My concerns with Mega's proposed services are that when all is said and done, the services are still incorporated in a Five Eyes partner's territory. Then there is the upcoming TPP agreement, and NZ has Mr. 'I will retire in Hawaii' JonKey as current PM. So you are right - in order to avoid the issues with a service on US soil, you may have to go offshore. However, you'd better be pretty careful which shore you go to. In my opinion, Mega may very well have to move again.